ISO/IEC 27001:2013 Information Security Management Standards
The International Organization for Standardization (ISO) is an independent nongovernmental organization and the world’s largest developer of voluntary international standards. The International Electrotechnical Commission (IEC) is the world’s leading organization for the preparation and publication of international standards for electrical, electronic, and related technologies.
Published under the joint ISO/IEC subcommittee, the ISO/IEC 27000 family of standards outlines hundreds of controls and control mechanisms to help organizations of all types and sizes keep information assets secure. These global standards provide a framework for policies and procedures that include all legal, physical, and technical controls involved in an organization’s information risk management processes.
ISO/IEC 27001 is a security standard that formally specifies an Information Security Management System (ISMS) that is intended to bring information security under explicit management control. As a formal specification, it mandates requirements that define how to implement, monitor, maintain, and continually improve the ISMS. It also prescribes a set of best practices that include documentation requirements, divisions of responsibility, availability, access control, security, auditing, and corrective and preventive measures. Certification to ISO/IEC 27001 helps organizations comply with numerous regulatory and legal requirements that relate to the security of information.
The international acceptance and applicability of ISO/IEC 27001 is the key reason why certification to this standard is at the forefront of Microsoft's approach to implementing and managing information security. Microsoft's achievement of ISO/IEC 27001 certification underscores its commitment to making good on customer promises from a business and security compliance standpoint. Currently, both Azure Public and Azure Germany are audited once a year for ISO/IEC 27001 compliance by a third-party accredited certification body, providing independent validation that security controls are in place and operating effectively.
Frequently asked questions
Compliance with these standards, confirmed by an accredited auditor, demonstrates that Microsoft uses internationally recognized processes and best practices to manage the infrastructure and organization that support and deliver its services. The certificate validates that Microsoft has implemented the guidelines and general principles for initiating, implementing, maintaining, and improving the management of information security.
The Service Trust Portal provides independently audited compliance reports. You can use the portal to request reports so that your auditors can compare Microsoft's cloud services results with your own legal and regulatory requirements.
Yes. The annual ISO/IEC 27001 certification process for the Microsoft Cloud Infrastructure and Operations group includes an audit for operational resiliency. To preview the latest certificate, click the link below.
- Microsoft Azure: ISO/IEC 27001:2013 certificate for Microsoft Cloud Infrastructure and Operations
- Azure Germany
Adopting ISO/IEC 27001 is a strategic commitment. As a starting point, consult the ISO/IEC 27000 Directory.
Yes. If your business requires ISO/IEC 27001 certification for implementations deployed on Microsoft services, you can use the applicable certification in your compliance assessment. You are responsible, however, for engaging an assessor to evaluate the controls and processes within your own organization and your implementation for ISO/IEC 27001 compliance.
Audit reports and certificates
Microsoft cloud services are audited at least annually against the ISO 27001:2013 standard.
- Azure, Intune, Power BI, Cloud App Security, Microsoft PowerApps, Microsoft Flow, Microsoft Graph, Microsoft Genomics, and Microsoft Datacenters – ISO 27001 Certificate
- Azure Germany ISO 27001 Certificate
- Dynamics 365 (formerly Dynamics CRM) ISO 27001 Information Security Management Standards Certificate
- Dynamics 365 Microsoft Dynamics Marketing Service (MDM) ISO 27001 Information Security Management Standards Certificate
- Dynamics 365 Microsoft Social Engagement Service ISO 27001 Information Security Management Standards Certificate
- Visual Studio Team Services
- Windows Defender ATP
Assessments and reports
- Azure, Intune, Power BI, Cloud App Security, Microsoft PowerApps, Microsoft Flow, Microsoft Graph, Microsoft Genomics, and Microsoft Datacenter - ISO 27001 and 27018 Audit Assessment Report
- Azure, Intune, Power BI, Cloud App Security, Microsoft PowerApps, Microsoft Flow, Microsoft Graph, Microsoft Genomics, and Microsoft Datacenter - ISO 27001 and 27018 Statement of Applicability (SOA) 2017
- Office 365 - ISO 27001, ISO 27018, and ISO 27017 Audit Assessment Report
- Office 365 Information Security Management System (ISMS) - Statement Of Applicability for Security and Privacy
- Office 365 - Germany ISO 27001 ISO 27017 and ISO 27018 Audit Assessment Report
- Yammer ISO 27001 Audit Assessment Report
- Dynamics 365 (formerly Dynamics CRM) ISO 27001 Audit Assessment Report 2017
- Dynamics 365 - ISO 27001 Statement of Applicability (SOA)
- Visual Studio Team Services
Windows Defender ATP
- Windows ISO 27001 Audit Assessment Report for Windows Defender Advanced Threat Protection
- Windows ISO 27001 Statement of Applicability for Windows Defender Advanced Threat Protection
Microsoft in-scope services
Covered services include:
- Azure, Azure Government, and Azure Germany detailed list
- Cloud App Security
- Commercial Support: Premier and on-premises support for Azure, Dynamics 365, Intune, and for medium business and enterprise customers of Office 365
- Dynamics 365 and Dynamics 365 U.S. Government detailed list
- Microsoft Flow cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
- Office 365, Office 365 U.S. Government, and Office 365 U.S. Government Defense detailed list
- PowerApps cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
- Power BI cloud service either as a standalone service or as included in an Office 365 branded plan or suite
- Visual Studio Team Services
- Windows Defender ATP
Resources
- The ISO/IEC 27000 Directory
- ISO/IEC 27001:2013 standard (for purchase)
- Microsoft sets a high bar for information security (BSI case study)
- Microsoft Common Controls Hub Compliance Framework
- Microsoft Online Services Terms
- Microsoft Cloud for Government